
Preventing CSRF in ASP

Guys,
I have a classic ASP page which has a form submitting to itself. I have to prevent CSRF in the page. So, I went with using a hidden random variable in the form and a session variable to store it. Here is similar code.

This works fine unless the user clicks the back button. If the back button is clicked, somehow the session and form value don't match the first time (clicking on the Add button). The next click on Add works fine.

Please help me. I got stuck here.

Any knowledge regarding session and back button is appreciated.

mypage.asp
------------
<html>
<body>

<%
if(request.form("add")="true") then
    'here is the anti-csrf check
    'note: Int() raises a type mismatch if either value is empty,
    'e.g. when no form was posted or the session has expired
    if(Int(session.Contents("uid"))=Int(request.form("uid"))) then
        'token matched: perform the add
    else
        'token mismatch: reject the request
    end if
end if
%>

</body>
</html>

I've never tried before, but I'm under the understanding that the Back button won't submit any data, and any call to request.form will return null, especially on the first page where no data has been submitted yet. Can you show a link to the site?

I don't think that you are going about this the right way. What I would do is generate a random number and store it in the session as well as on the form. Then when the form is submitted, make sure the two match.
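The following is an added example, not code posted by the original poster or either reply: a self-submitting classic ASP page implementing the synchronizer-token pattern that both the question and the reply above describe. The token is generated once per session and reused on every render, so a form the browser restores from cache via the Back button still carries the same token the session holds; regenerating the token on every page load is the usual cause of a mismatch on the first submit after Back. The field name `csrf_token`, the functions `NewToken`, `GetCsrfToken` and `IsValidCsrfToken`, and the `Session("csrf_token")` key are all names chosen for this example.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example (not from the thread): per-session synchronizer token.

' Build a 32-hex-digit random token. Assumption: only built-in VBScript
' functions are available. Rnd/Randomize is NOT a cryptographic RNG; on a
' real site replace NewToken with a cryptographically strong source.
Function NewToken()
    Dim i, s
    Randomize
    s = ""
    For i = 1 To 32
        s = s & Hex(Int(Rnd() * 16))
    Next
    NewToken = s
End Function

' Return the session's token, creating it only if none exists yet.
' Because it is not regenerated per render, a cached page restored with
' the Back button still holds the token the session expects.
Function GetCsrfToken()
    If IsEmpty(Session("csrf_token")) Or Session("csrf_token") = "" Then
        Session("csrf_token") = NewToken()
    End If
    GetCsrfToken = Session("csrf_token")
End Function

' True only when a session token exists, a form token was submitted,
' and the two are byte-for-byte identical. A missing value on either
' side (expired session, no POST) is a rejection, not a runtime error.
Function IsValidCsrfToken()
    Dim submitted, expected
    submitted = Trim(Request.Form("csrf_token"))
    expected = Session("csrf_token")
    If IsEmpty(expected) Or expected = "" Or submitted = "" Then
        IsValidCsrfToken = False
    ElseIf StrComp(submitted, expected, vbBinaryCompare) = 0 Then
        IsValidCsrfToken = True
    Else
        IsValidCsrfToken = False
    End If
End Function

Dim message
message = ""
If Request.ServerVariables("REQUEST_METHOD") = "POST" And Request.Form("add") = "true" Then
    If IsValidCsrfToken() Then
        message = "Add accepted."
        ' ... perform the state-changing action here ...
    Else
        Response.Status = "403 Forbidden"
        message = "Request rejected: anti-CSRF token missing or mismatched."
    End If
End If
%>
<html>
<body>
<p><%= Server.HTMLEncode(message) %></p>
<form method="post" action="mypage.asp">
  <input type="hidden" name="add" value="true">
  <input type="hidden" name="csrf_token" value="<%= GetCsrfToken() %>">
  <input type="submit" value="Add">
</form>
</body>
</html>
```

Two design points worth noting. First, the check is only as strong as the session itself: the token should be created in a fresh session after login, so a token from before authentication is never reused. Second, a per-session token is what makes Back navigation work; if a stricter per-request token is required, the server has to keep a small set of recently issued tokens and accept any of them, otherwise every cached page becomes unsubmittable exactly as described in the question.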

It's truly shameful that I have to tell people that they are asking .NET questions in a classic ASP board. . .